Merge pull request hashicorp#313 from hashicorp/panos-srgs

add restrict-panos-srgs policy

Author: jboero

governance/third-generation/cloud-agnostic/restrict-panos-srgs.sentinel

@@ -0,0 +1,37 @@
+# This policy uses the Sentinel tfplan/v2 import to restrict the
+# destination addresses of Palo Alto Networks security rule groups
+# to not have "any".
+
+# Import common-functions/tfplan-functions/tfplan-functions.sentinel
+# with alias "plan"
+import "tfplan-functions" as plan
+
+# Get all Security Rule Groups
+allSRGs = plan.find_resources("panos_security_rule_group")
+
+# Validate Security Rule Groups
+violatingSRGsCount = 0
+for allSRGs as address, srg {
+
+  # Find the rules of the current SRG
+  rules = plan.find_blocks(srg, "rule")
+
+  # Filter to violating rules that contain "any" in destination_addresses
+  # Warnings will not be printed for violations since the last parameter is false
+  violatingRules = plan.filter_attribute_contains_items_from_list(rules,
+                 "destination_addresses", ["any"], false)
+
+  # Print violation messages
+  if length(violatingRules["messages"]) > 0 {
+    violatingSRGsCount += 1
+    print("SRG Rule Violation:", address, "has at least one rule",
+          "with destination_addresses containing \"any\".")
+    plan.print_violations(violatingRules["messages"], "Rule")
+  }  // end if
+  
+} // end for SRGs
+
+# Main rule
+main = rule {
+  violatingSRGsCount is 0
+}

governance/third-generation/cloud-agnostic/sentinel.hcl

@@ -104,6 +104,11 @@ policy "restrict-databricks-clusters" {
     enforcement_level = "advisory"
 }
 
+policy "restrict-panos-srgs" {
+    source = "./restrict-panos-srgs.sentinel"
+    enforcement_level = "advisory"
+}
+
 policy "restrict-remote-state" {
     source = "./restrict-remote-state.sentinel"
     enforcement_level = "advisory"

governance/third-generation/cloud-agnostic/test/restrict-panos-srgs/fail.hcl

@@ -0,0 +1,15 @@
+module "tfplan-functions" {
+  source = "../../../common-functions/tfplan-functions/tfplan-functions.sentinel"
+}
+
+mock "tfplan/v2" {
+  module {
+    source = "mock-tfplan-fail.sentinel"
+  }
+}
+
+test {
+  rules = {
+    main = false
+  }
+}

governance/third-generation/cloud-agnostic/test/restrict-panos-srgs/mock-tfplan-fail.sentinel

@@ -0,0 +1,176 @@
+terraform_version = "1.0.10"
+
+variables = {}
+
+resource_changes = {
+	"panos_security_rule_group.devtodmz": {
+		"address": "panos_security_rule_group.devtodmz",
+		"change": {
+			"actions": [
+				"create",
+			],
+			"after": {
+				"position_keyword":   null,
+				"position_reference": null,
+				"rule": [
+					{
+						"action": "allow",
+						"applications": [
+							"any",
+						],
+						"categories": [
+							"any",
+						],
+						"data_filtering": null,
+						"description":    "test",
+						"destination_addresses": [
+							"any",
+						],
+						"destination_zones": [
+							"dmz",
+						],
+						"disable_server_response_inspection": null,
+						"disabled":                           null,
+						"file_blocking":                      null,
+						"group":                              null,
+						"hip_profiles": [
+							"any",
+						],
+						"icmp_unreachable":   null,
+						"log_end":            true,
+						"log_setting":        null,
+						"log_start":          null,
+						"name":               "allow dev to dmz",
+						"negate_destination": null,
+						"negate_source":      null,
+						"schedule":           null,
+						"services": [
+							"application-default",
+						],
+						"source_addresses": [
+							"10.1.1.0/24",
+						],
+						"source_users": [
+							"any",
+						],
+						"source_zones": [
+							"dev",
+						],
+						"spyware":           null,
+						"tags":              null,
+						"type":              "universal",
+						"url_filtering":     null,
+						"virus":             null,
+						"vulnerability":     null,
+						"wildfire_analysis": null,
+					},
+				],
+				"vsys": "vsys1",
+			},
+			"after_unknown": {
+				"id": true,
+				"rule": [
+					{
+						"applications": [
+							false,
+						],
+						"categories": [
+							false,
+						],
+						"destination_addresses": [
+							false,
+						],
+						"destination_zones": [
+							false,
+						],
+						"hip_profiles": [
+							false,
+						],
+						"services": [
+							false,
+						],
+						"source_addresses": [
+							false,
+						],
+						"source_users": [
+							false,
+						],
+						"source_zones": [
+							false,
+						],
+					},
+				],
+			},
+			"before": null,
+		},
+		"deposed":        "",
+		"index":          null,
+		"mode":           "managed",
+		"module_address": "",
+		"name":           "devtodmz",
+		"provider_name":  "registry.terraform.io/paloaltonetworks/panos",
+		"type":           "panos_security_rule_group",
+	},
+	"panos_zone.dev": {
+		"address": "panos_zone.dev",
+		"change": {
+			"actions": [
+				"create",
+			],
+			"after": {
+				"enable_user_id": false,
+				"exclude_acls":   null,
+				"include_acls":   null,
+				"log_setting":    null,
+				"mode":           "layer3",
+				"name":           "dev",
+				"vsys":           "vsys1",
+				"zone_profile":   null,
+			},
+			"after_unknown": {
+				"id":         true,
+				"interfaces": true,
+			},
+			"before": null,
+		},
+		"deposed":        "",
+		"index":          null,
+		"mode":           "managed",
+		"module_address": "",
+		"name":           "dev",
+		"provider_name":  "registry.terraform.io/paloaltonetworks/panos",
+		"type":           "panos_zone",
+	},
+	"panos_zone.dmz": {
+		"address": "panos_zone.dmz",
+		"change": {
+			"actions": [
+				"create",
+			],
+			"after": {
+				"enable_user_id": false,
+				"exclude_acls":   null,
+				"include_acls":   null,
+				"log_setting":    null,
+				"mode":           "layer3",
+				"name":           "dmz",
+				"vsys":           "vsys1",
+				"zone_profile":   null,
+			},
+			"after_unknown": {
+				"id":         true,
+				"interfaces": true,
+			},
+			"before": null,
+		},
+		"deposed":        "",
+		"index":          null,
+		"mode":           "managed",
+		"module_address": "",
+		"name":           "dmz",
+		"provider_name":  "registry.terraform.io/paloaltonetworks/panos",
+		"type":           "panos_zone",
+	},
+}
+
+output_changes = {}